RECORD OF PROCESSING ACTIVITIES
Most organisations that process personal data in the EU must keep a Record of Processing Activities under GDPR Article 30. Compass builds yours automatically from the processing your workspace actually records — and marks every field by how it is backed.
WHO NEEDS ONE
Article 30 requires a written record of your processing activities. The under-250-employee exemption is narrow — it falls away the moment processing is regular, touches special-category data, or is not occasional, which covers most active businesses. When a supervisory authority asks, the register is the first document they request.
WHAT ARTICLE 30 ASKS FOR
For each processing activity the register captures the fields the regulation names. Compass fills them from what your workspace knows.
CONTROLLER
Who you are — entity, registered address, contact, and the data-protection contact.
PURPOSE
Why each activity processes personal data.
CATEGORIES OF DATA SUBJECTS
Whose data it is — clients, employees, prospects.
CATEGORIES OF PERSONAL DATA
What is processed — contact details, financial data, and any special categories.
RECIPIENTS
Who the data is disclosed to.
THIRD-COUNTRY TRANSFERS
Any transfer outside the EEA, and the safeguard relied on.
RETENTION
How long each category is kept before it is erased.
EVERY FIELD CARRIES ITS PROVENANCE
The register is a provenanced projection, not a fill-in form. Each field is marked so you and an auditor can tell apart what is proven, what is asserted, and what is missing.
✓
Evidence
Backed by a verifiable receipt your workspace minted — for example a recorded retention period or a completed erasure.
•
Asserted
Drawn from information you provided. True if your input is true.
⚠
Gap
Required by Article 30 but not yet recorded. The register flags it instead of inventing it.
EXPORT THAT TRAVELS
Produce the register on demand in the format the moment calls for — to read, to file, or to hand over with proof attached.
YOUR RESPONSIBILITY
This register is generated from the information you provided and the activity recorded in your workspace. You own the accuracy and completeness of the entries. A ✓ marks an entry backed by a verifiable receipt; a • marks information you asserted; a ⚠ marks an entry you still need to complete. It covers the processing your Hub workspace records, not processing that happens elsewhere — and it is not legal advice. Legal review is recommended.
FAQ
A Record of Processing Activities is the written inventory of how an organisation processes personal data, required by Article 30 of the GDPR. It lists, for each activity, the purpose, the categories of people and data, recipients, any third-country transfers, and retention periods.
Most controllers and processors in the EU. The exemption for organisations under 250 employees is narrow — it does not apply where processing is regular, is likely to risk people's rights, or involves special categories of data, which describes most active businesses.
Compass reads the processing your Dekimu Hub workspace already records and maps it onto the Article 30 fields. It marks each field as backed by a verifiable receipt, asserted from your input, or an open gap — so the register reflects your real activity rather than a blank template.
Yes. The register exports as human-readable Markdown, as structured JSON, or as a signed ropa.register.v1 receipt that lets the exported version be independently verified later as exactly what Compass produced on that date.
No. The register is a working document that reflects what your workspace has recorded. You own the accuracy and completeness of the entries, it covers only the processing recorded in your workspace, and it is not legal advice. Legal review is recommended.
RoPA is part of Compass inside Dekimu Hub at app.dekimu.com, a Pro feature. This page is a public explainer; the live register is in the gated dashboard.
REFERENCES
RoPA is a compliance-management tool, not a law firm. It does not provide legal advice and does not certify compliance. The register reflects the information and activity recorded in your workspace; you remain responsible for its accuracy and completeness.